# WithSecure Event Collector

This Integration is part of the WithSecure Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

WithSecure event collector integration for Cortex XSIAM. This integration was integrated and tested with version 1.0 of the WithSecure API.

## Authentication Process

To create a Client ID and Client Secret, see this documentation.
## Configure WithSecure Event Collector in Cortex

Parameter | Description | Required |
---|---|---|
Server URL | | True |
Client ID | Client ID and Client Secret. | True |
Client Secret | | True |
First fetch timestamp (\<number\> \<time unit\>, e.g., 12 hours, 7 days, 3 months, 1 year) | | False |
Maximum number of events per fetch, Max 1000 | | False |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |
## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### with-secure-get-events

Manual command used to fetch events and display them.

#### Base Command

`with-secure-get-events`

#### Input

Argument Name | Description | Required |
---|---|---|
fetch_from | The date to start collecting the events from. | Optional |
limit | The maximum number of events to return. | Optional |

#### Context Output

There is no context output for this command.
#### Command example

```!with-secure-get-events limit=2 fetch_from="90 days"```
#### Human Readable Output

>### With Secure Events
>action | clientTimestamp | details | device | engine | id | organization | persistenceTimestamp | serverTimestamp | severity |
>---|---|---|---|---|---|---|---|---|---|
>created | 2023-03-15T21:58:34Z | incidentPublicId: 4550314-13<br>fingerprint: 10e34c3d5a3b531505140351b515e5d0f563b761<br>initialDetectionTimestamp: 1678917621712<br>risk: MEDIUM<br>categories: LATERAL_MOVEMENT<br>incidentId: b7ffb469-44c2-4cc0-9adb-6a3663bba393<br>clientTimestamp: 1678917514000<br>resolution: UNCONFIRMED<br>userSam: NT AUTHORITY\SYSTEM | name: WIN10-TMPLT<br>id: 45581e9d-266c-4676-9f55-1ff36f7519f9 | edr | dae559cd-37fe-3fc8-8fb1-7098c8a4d368_0 | name: Palo Alto_comp<br>id: b856d1ab-29c1-4803-b9b5-91ec7b24f94c | 2023-03-15T22:00:22.985Z | 2023-03-15T22:00:22.574Z | critical |
>created | 2023-03-15T14:01:29Z | incidentPublicId: 4550314-5<br>fingerprint: 3a653902d97ee6aa241b3e4ae18b0c01a32b97fe<br>initialDetectionTimestamp: 1678891152183<br>risk: HIGH<br>categories: SYSTEM_OR_TOOL_MISUSE<br>incidentId: 3b519e5d-addd-440f-b2b6-d8ab5bb0f4ff<br>clientTimestamp: 1678888889000<br>resolution: UNCONFIRMED<br>userSam: A-WIN81X64-TEMP\admin | name: A-WIN81X64-TEMP<br>id: fb939719-e4b5-4fb0-bfd9-3e7079833cec | edr | 1efd19d1-64db-3a56-b8fd-8da2cb87dc20_0 | name: Palo Alto_comp<br>id: b856d1ab-29c1-4803-b9b5-91ec7b24f94c | 2023-03-15T14:39:15.695Z | 2023-03-15T14:39:13.022Z | critical |
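As an added illustration (not code from the WithSecure pack), the following shows how the `<number> <time unit>` first-fetch expression and the `limit` cap from the parameter table translate into a fetch window over events shaped like the two rows above. The month/year lengths and the oldest-first ordering are assumptions, not behaviour documented on this page.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_EVENTS_PER_FETCH = 1000  # "Maximum number of events per fetch, Max 1000"

# Seconds per unit; month = 30 days and year = 365 days are assumptions.
_UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400,
                 "week": 604800, "month": 30 * 86400, "year": 365 * 86400}

# Constructed sample: the two events from the command output, trimmed to
# the fields the fetch window logic needs.
SAMPLE_EVENTS = [
    {"id": "dae559cd-37fe-3fc8-8fb1-7098c8a4d368_0",
     "serverTimestamp": "2023-03-15T22:00:22.574Z", "severity": "critical",
     "details": {"risk": "MEDIUM", "categories": "LATERAL_MOVEMENT"}},
    {"id": "1efd19d1-64db-3a56-b8fd-8da2cb87dc20_0",
     "serverTimestamp": "2023-03-15T14:39:13.022Z", "severity": "critical",
     "details": {"risk": "HIGH", "categories": "SYSTEM_OR_TOOL_MISUSE"}},
]


def parse_first_fetch(expr: str, now: datetime) -> datetime:
    """Turn '90 days', '12 hours', '1 year' into an absolute UTC start time."""
    m = re.fullmatch(r"\s*(\d+)\s+(minute|hour|day|week|month|year)s?\s*", expr, re.I)
    if not m:
        raise ValueError(f"bad first-fetch expression: {expr!r}")
    n, unit = int(m.group(1)), m.group(2).lower()
    return now - timedelta(seconds=n * _UNIT_SECONDS[unit])


def clamp_limit(limit: int) -> int:
    """Never ask the API for more than the documented per-fetch maximum."""
    return max(1, min(int(limit), MAX_EVENTS_PER_FETCH))


def _ts(event: dict) -> datetime:
    # API timestamps end in 'Z'; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(event["serverTimestamp"].replace("Z", "+00:00"))


def select_events(events: list, since: datetime, limit: int) -> list:
    """Events at or after `since`, oldest first, capped at the clamped limit."""
    window = [e for e in events if _ts(e) >= since]
    window.sort(key=_ts)
    return window[: clamp_limit(limit)]


if __name__ == "__main__":
    now = datetime(2023, 4, 1, tzinfo=timezone.utc)
    for e in select_events(SAMPLE_EVENTS, parse_first_fetch("90 days", now), 2):
        print(e["serverTimestamp"], e["id"], e["details"]["risk"])
```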